paritytech / polkadot-sdk

The Parity Polkadot Blockchain SDK
https://polkadot.network/

Bug v1.16.0-rc1 (stable2409) RPC call is unsafe to be called externally #5677

Closed BulatSaif closed 2 weeks ago

BulatSaif commented 2 weeks ago

Description of bug

Before polkadot:v1.16.0, unsafe RPC methods were exposed by default if the RPC was open to localhost. This behavior has changed (accidentally?), but the help documentation has not been updated.

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --help | grep -A 10 rpc-methods
      --rpc-methods <METHOD SET>
          RPC methods to expose.

          [default: auto]

          Possible values:
          - auto:   Expose every RPC method only when RPC is listening on `localhost`, otherwise
            serve only safe RPC methods
          - safe:   Allow only a safe subset of RPC methods
          - unsafe: Expose every RPC method (even potentially unsafe ones)

Example:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1  --chain rococo-local 
Starting binary polkadot
2024-09-11 12:08:23 Parity Polkadot    
2024-09-11 12:08:23 ✌️  version 1.16.0-a427d8fb677    
2024-09-11 12:08:23 ❤️  by Parity Technologies <admin@parity.io>, 2017-2024    
2024-09-11 12:08:23 📋 Chain specification: Rococo Local Testnet    
...
2024-09-11 12:08:30 Running JSON-RPC server: addr=127.0.0.1:9944, 
curl -H "Content-Type: application/json" --data '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x11","aura"],"id":1 }' localhost:9944
{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}

Workaround: set --rpc-methods manually.

--rpc-methods=unsafe

Steps to reproduce

On host:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --chain rococo-local
docker exec -it -u 0 CONTAINER_ID bash

Inside the container, run any unsafe RPC (you can install curl or use the bash function below):

# Minimal HTTP POST over bash's /dev/tcp; "Connection: close" makes the server end the response so cat returns
pcurl() { exec 4<>/dev/tcp/127.0.0.1/9944 && printf 'POST / HTTP/1.1\r\nHost: 127.0.0.1:9944\r\nConnection: close\r\nContent-Type: application/json\r\nContent-Length: %d\r\n\r\n%s' "$(printf %s "$1" | wc -c)" "$1" >&4 && cat <&4; }
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
  {"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}HTTP/1.1

It is important to run curl inside the container, to have the same network.

Expected behavior:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.15.2 --chain rococo-local
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
     {"jsonrpc":"2.0","result":false,"id":1}HTTP/1.1 
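
The check a node operator would want after reading the report above is a repeatable probe: send one unsafe-gated but read-only call, classify the answer, and compare it with what the --rpc-methods help text promises for the mode the node was started in. The script below is an added example and is not code from the issue or from polkadot-sdk; the only facts it takes from the page are the error code and message quoted above and the documented auto/safe/unsafe semantics. The function and variable names are my own, and the two embedded responses are the ones quoted in the issue so the classifier can be exercised offline.

```python
import json
import sys
import urllib.request

# Error text substrate's RPC layer returns when it refuses an unsafe method
# (copied from the responses quoted in the issue above).
UNSAFE_MESSAGE = "RPC call is unsafe to be called externally"
METHOD_NOT_FOUND = -32601  # JSON-RPC code the node reuses for that refusal

# Responses quoted in the issue, embedded so the classifier runs without a node.
RESPONSE_BLOCKED = ('{"jsonrpc":"2.0","id":1,"error":{"code":-32601,'
                    '"message":"RPC call is unsafe to be called externally"}}')
RESPONSE_EXPOSED = '{"jsonrpc":"2.0","result":false,"id":1}'


def rpc_request(method, params, request_id=1):
    """Build a JSON-RPC 2.0 request object."""
    return {"jsonrpc": "2.0", "method": method, "params": list(params), "id": request_id}


def classify(body):
    """Classify a JSON-RPC response to a probe of an unsafe method.

    "exposed": the node executed the call; "blocked": the RPC layer refused it
    as unsafe; "method-not-found": unknown method; "error": any other error."""
    msg = json.loads(body) if isinstance(body, (str, bytes)) else body
    err = msg.get("error")
    if err is None:
        return "exposed"
    if err.get("code") == METHOD_NOT_FOUND:
        return "blocked" if UNSAFE_MESSAGE in err.get("message", "") else "method-not-found"
    return "error"


def expected_exposure(rpc_methods, listening_on_localhost):
    """What the --rpc-methods help text says an unsafe call should get."""
    if rpc_methods == "unsafe":
        return "exposed"
    if rpc_methods == "safe":
        return "blocked"
    if rpc_methods == "auto":
        return "exposed" if listening_on_localhost else "blocked"
    raise ValueError(f"unknown --rpc-methods value: {rpc_methods!r}")


def probe(url, method="author_hasKey", params=("0x11", "aura"), timeout=5.0):
    """Send one unsafe-gated but harmless call and classify the answer.

    author_hasKey with a bogus key is used because it is gated as unsafe yet
    only reads the keystore; do not probe with author_rotateKeys or
    author_insertKey, which mutate the node."""
    data = json.dumps(rpc_request(method, params)).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(resp.read())


def audit(observed, rpc_methods, listening_on_localhost):
    """Compare an observed classification with the documented policy."""
    expected = expected_exposure(rpc_methods, listening_on_localhost)
    return {"expected": expected, "observed": observed, "matches": expected == observed}


if __name__ == "__main__":
    # Usage: python rpc_probe.py http://127.0.0.1:9944 auto localhost
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9944"
    mode = sys.argv[2] if len(sys.argv) > 2 else "auto"
    local = (sys.argv[3] if len(sys.argv) > 3 else "localhost") == "localhost"
    print(json.dumps(audit(probe(url), mode, local)))
```

Run against a v1.16.0-rc1 node started as in the report (auto, bound to 127.0.0.1), the audit reports expected "exposed" but observed "blocked", which is exactly the regression described; against a node you intend to keep locked down, the same probe from outside the host should report "blocked" and a mismatch there is the finding that matters.
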

ggwpez commented 2 weeks ago

Maybe this one: https://github.com/paritytech/polkadot-sdk/pull/4792? @niklasad1, do you know if this here is desired behaviour or not?

niklasad1 commented 2 weeks ago

It wasn't intended to break this, lemme check

Thanks Bulat, I have opened a PR to fix this